Issue #3593017: Guide Key choice on the add-secret form and add a value generator
What this does
Resolves #3593017. The add-secret form (AuditTrailSecretForm) silently
filtered the Key dropdown to Encryption / 256-bit Keys and gave no guidance; on
a site with no eligible Key the select was an empty dead end.
Changes
- State the requirement in the key_id description: the Key must be of type Encryption, sized 256 bits (32 bytes) - what HMAC-SHA256 signing needs - and other types/sizes are intentionally hidden. Links to add / manage Keys (entity.key.add_form, entity.key.collection).
- Empty state: a concise warning with a create-Key link; the Key select and the Save button are disabled so the operator cannot get stuck or submit.
- Optional value generator, collapsed at the bottom so it adds no noise. The
256-bit value is produced in the browser via the Web Crypto API only when the
operator clicks Generate - never pre-generated, never sent to the server. Copy
uses execCommand first so it also works on non-HTTPS admin hosts. The help text tells the operator to paste the value and tick Base64-encoded, because drupal/key only round-trips Base64 for an Encryption Key (its text input base64-decodes before the 32-byte size check; an un-ticked paste is read as 44 bytes and rejected).
Out of scope (per the issue): a hook_help overview.
Test
AuditTrailSecretFormTest (Functional) covers the empty state (warning,
disabled Save, generator scaffold) and that an eligible Encryption / 256-bit Key
is offered with the requirement stated.
Verified locally: functional 2 tests / 12 assertions green; PHPCS (Drupal, DrupalPractice) and CSpell clean; JS validated. Behavior also confirmed end to end in the acte-generator stack.
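
The 32-byte versus 44-byte behaviour described under Changes, as an added example (not the module's or drupal/key's code). The function names are hypothetical, and the size check is a simplified model of what the description says: Base64-decode when the box is ticked, then count bytes.

```javascript
// Added illustration; generateKeyValue / keyValueByteLength / passesSizeCheck
// are hypothetical names, not functions from the module or from drupal/key.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const KEY_BYTES = 32; // 256 bits, the size the form requires for HMAC-SHA256

// Generate only when called: 32 bytes from the platform CSPRNG, Base64-encoded
// so the value survives copy/paste through a text input.
function generateKeyValue() {
  const bytes = new Uint8Array(KEY_BYTES);
  webCrypto.getRandomValues(bytes);
  return btoa(String.fromCharCode(...bytes));
}

// Model of the size check: the pasted text is measured either as-is
// (box un-ticked) or after Base64 decoding (box ticked).
function keyValueByteLength(pasted, base64Encoded) {
  if (!base64Encoded) {
    return new TextEncoder().encode(pasted).length;
  }
  try {
    return atob(pasted).length;
  } catch (e) {
    return -1; // not valid Base64, so it can never match the required size
  }
}

function passesSizeCheck(pasted, base64Encoded) {
  return keyValueByteLength(pasted, base64Encoded) === KEY_BYTES;
}

// 32 raw bytes always encode to 44 Base64 characters (ceil(32 / 3) * 4),
// which is why an un-ticked paste is measured as 44 bytes and rejected.
const sample = generateKeyValue();
console.log(sample.length, passesSizeCheck(sample, true), passesSizeCheck(sample, false));
```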